Security researchers have devised a rootkit capable of covertly monitoring and controlling Cisco routers.
Sebastian Muniz, of Core Security, plans to demo Cisco IOS rootkit software he developed during a presentation at the EuSecWest conference in London on 22 May.
Rootkits are malicious packages used to hide the presence of …

"Security researchers have devised a rootkit capable of covertly monitoring and controlling Cisco routers. ..... Muniz explained: "I've done this with the purpose of showing that IOS rootkits are real, and that appropriate security measures must be taken""

And what, pray tell, would be appropriate security measures, given the fact that such Pythonesque Intrusions are UNstoppable ..... with whether subsequent and deeper IOS activity be mischievous or malicious, [which invariably is always only a rational decision to reflect whatever degree of financial loss/transparent information sharing that a client/government/virtual machine may wish and/or be forced to demonstrate] ...... being merely the result of ignorant, arbitrary security measures, which could/would be considered as attacks upon the Intrusion.

It is as well to consider exactly what it is that is going to be lost, or thought to be under attack, for any Defence of the Indefensible has always been, and will always be a Catastrophic Failure, ..... Inviting by SMARTer IOS Default an UNstoppable Force to take All before it with ITControl, as Fully Legitimate Booty/Reward/Full Monty XXXXPEditionary Force Majeure Payment.

I Kid U Not Cisco ...... and not a Rogue Cowboy/Dumb White Kid in Sight for this is AI Purple Patch.

And as this is BOFH day and we patiently await our Fix, take AIMagical Mystery Turing Stroll down the Route of that last Sentence which says that Rock is AI Stone and a'Rolling and won't Get Fooled again by Rogue Cowboys with Dumb White Kids in their Sights.

The Network InterNetworking JA is your Lover and Friend ..... Use IT 42 Register and Make Your Dreams Come Alive .......

There are, of course, always alternate rootkit routes such as the malicious, burnt and burning bushes journey of perpetual war, with its legacy of crippling and crippled heroes and post traumatic stress Zombie Psychoses, for the Nightmare Scenario of Dreams Destroyed and Lives Lost on Foreign and Alien Soil Misadventures..... Real Arrogant Vanity Excursions ..... Raves in Madness.

Bugger - takes the wind out of my Phorm argument

I've been ranting outraged about how Phorm's and others' data pimping kit could introduce network vulnerabilities like this. Just a shame that Cisco have now provided Phorm et al. with a defence: the network vulnerabilities at the ISP are already there!

Of course I trust Cisco to identify, root-cause and patch quicker than tinpot data pimpers due to the scale of their operations and amount of kit out there....

that guy is smart..

Unmanaged Routers next?

Fortunately Cisco routers are usually corporate, with staff employed to manage them; however, your bog standard home owned 24/7 unmanaged generic routers like the Home Hub or Livebox, well then we have a problem.. We're all doomed I tell ya! Well, ok, maybe not doomed, but the ISPs need to wake up and do something about infected customers!

This really was inevitable

plans to demo Cisco IOS rootkit software

This will be an interesting case for Mr Plod, the Policeman.

He will be demonstrating software that he developed (therefore no widely installed customer base), that is only developed to demonstrate bad intentions, in London. As clear a case of a breach of the Computer Misuse Act as could be imagined. See http://www.lightbluetouchpaper.org/2007/12/31/hacking-tool-guidance-finally-appears/

Read through the comments as well!

Interesting times ahead. Should we start a fund for his legal defence costs now?

If you already have admin credentials.....

....why would you arse around with a rootkit? You just login and do what you want directly. If nobody notices you logging in and installing a rootkit, they wouldn't notice changes in routing, access lists and the like.

Admin Credentials

?JohnG

Because any compromised system could be noticed by a professional and fixed. The point of the rootkit is not that you can get in today, but that you can get in every day, and not be noticed by legitimate admins. An exploit is patchable; a rootkit is only patchable if you *know it is there*.

Why so long?

@Sodoshi

"..any compromised system could be noticed by a professional..."

If the responsible professionals don't notice someone logging in using admin privileges and then installing the rootkit, they aren't going to notice anything short of the box falling over, are they? They aren't likely to notice an additional username, for example.

Small correction

The devil is in the detail

"He will be demonstrating software that he developed (therefore no widely installed customer base), that is only developed to demonstrate bad intentions,..."

If anyone develops software for a System with nothing but good intentions, even though others may think to develop it along lines for bad intentions, will Mr Plod and his mates in Spooky Town not be interested, unless they were alerted to bad intentions which would prevent good intention use, for quite obviously such a Block on Progress would be Immoral/Unethical/Not in the Public Interest even should it be argued that Third Party Private and/or Public Gain is derived from Proxy Third Party Use of Systems Resources. So what... Hard Cheese... Get Used to IT being Shared for the Greater Good...... although that subtlety may have to be carefully explained to them.

And/But of course, the Heavy Squad would also always be interested in those who would abuse Holey Software and Hardware, with no good intention at all. It makes one think that the problem is one at source and within the Hosting Hardware/Software but that is always quietly forgotten for convenience sake?

It's a bit like selling a lethal weapon and then not expecting anyone to use it and prosecuting them whenever they do, except whenever they use it for those "special" private enterprises which pull on government disguises.

@AC, ya that was a joke

"Err that was a joke right. Why would making all routers rely on a different OS make any difference surely then you would be equally exposed to a single flaw?"

Next time I'll use teh j0k3 4l3rt butan, kthx.

Seriously, I don't understand why the Linux crowd isn't all over this, promoting Snapgear over Cisco, when they gladly do the same thing when some vulnerability in a Microsoft OS gets published. Cisco is more entrenched in the 'net than Microsoft is.

I would like to see, however, how someone could rootkit a Snapgear box.

hmm

If you guess the admin password, you're fine until they change it... this probably doesn't happen often, as if you guess it, the admin is too dumb to ever change it.

If you brute force the password or have a working vulnerability, then I guess this kit could help... 'course their IDS sucks if it didn't notice. Hope they don't ever patch it, that might break your rootkit, or if Cisco pays attention and checks for it first, might reveal your activities/IP etc.

So if the admin is lazy, but put in a good password.. you don't need this kit after you root it, as they'll never change it or patch it.

If the admin is not lazy and you have a zero day exploit, your rootkit needs to not break when the admin does patch it, or worse, reveal you.

They mention 'covert' in the article...but how covert? To most users nc listening on port 4444 in the startup folder is covert because users are dumb. If it really is a 'stealth' rootkit that survives patching and rebooting, that is impressive.

All your route belong to us

Admin rights required...

....sort of makes this rootkit issue a non starter. Having to brute force the router, which should be protected with an AAA TACACS or RADIUS server, and on an out of band management interface with ACLs, would make this very very very difficult to achieve.

However, if the rootkit code is added to a version of the IOS binary then system admins could actually be installing the rootkit without knowing. Advice would be to only download binaries from cisco.com and not to get them from anywhere else. Also check the MD5 and checksum hashes to make sure they match those on cisco.com.
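The hash check suggested in the comment above, written out as an added example (this is not code from the article, the commenter, or Cisco). It hashes a downloaded image in chunks, compares the result against every digest the vendor publishes for that file using a constant-time comparison, and treats a missing digest or any single mismatch as a failure. The `PUBLISHED` values are constructed placeholders (the well-known MD5 and SHA-256 of the bytes `abc`) so the example runs offline; in practice they are copied from the vendor's download page, never from the same place the image came from.

```python
"""Verify a downloaded firmware image against vendor-published digests.

Added example, not part of the original discussion. Digest values below are
constructed placeholders (hashes of b"abc") standing in for the ones a vendor
publishes next to the download link.
"""
import hashlib
import hmac
import os
import tempfile

# Constructed placeholders: MD5 and SHA-256 of the bytes b"abc".
PUBLISHED = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


def digest_file(path, algo="md5", chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so a large image never has to be
    read into memory at once. Returns the lowercase hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, published, algos=("md5", "sha256")):
    """Check the file against each published digest that is available.

    Returns (ok, details): ok is True only when at least one digest was
    published and every available digest matched; details maps the
    algorithm name to (computed_hex, matched).
    """
    details = {}
    for algo in algos:
        expected = published.get(algo)
        if expected is None:
            continue
        # Vendors print digests in mixed case and with stray whitespace.
        expected = expected.strip().lower()
        computed = digest_file(path, algo)
        # Constant-time comparison; both sides are ASCII hex so encoding is safe.
        matched = hmac.compare_digest(computed.encode(), expected.encode())
        details[algo] = (computed, matched)
    ok = bool(details) and all(m for _, m in details.values())
    return ok, details


def write_temp_image(data):
    """Write constructed image bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Constructed images: one intact, one with a single byte altered.
    Returns (intact_ok, tampered_ok)."""
    good = write_temp_image(b"abc")
    bad = write_temp_image(b"abd")
    try:
        return verify_image(good, PUBLISHED)[0], verify_image(bad, PUBLISHED)[0]
    finally:
        os.remove(good)
        os.remove(bad)


if __name__ == "__main__":
    intact, tampered = demo()
    print("intact image verifies:", intact)      # True
    print("tampered image verifies:", tampered)  # False
```

Requiring every published digest to match, rather than any one of them, matters because an MD5 collision alone would not get a modified image past a SHA-256 check. A missing digest is reported as a failure rather than silently skipped, so an image with no published hash at all cannot be "verified" by accident.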

Not sure he is dispelling a myth.

Any system that uses flash memory or rw memory for the operating system can theoretically be rooted.

Unless the systems use ROM with no RAM or hardware protected RAM it can use a similar mechanism that is used when updating the router, which appears to be what he has done.

Though I agree there are a load of numpties who profess to be in IT (generally Universities) who are under the delusion that it is not possible, but most don't take those folks seriously, perhaps the guy had run into that little sect.

Rootkits are the last thing in the chain of compromise, used generally to maintain control and thwart detection of the break-in. I am sure others have done this years ago, and I am somewhat surprised he is the first to make it public.